Written by: Mike Talon
One of our site visitors asked a pretty popular question recently: “What, exactly, is Breach and Attack Simulation (BAS)?” Let’s dive in and have a look at this form of security control testing.
So, what are “security controls?” Simply put, a security control is anything that limits a threat actor’s ability to accomplish their goal, or that stops even a legitimate user from doing something they shouldn’t.
Security controls can be devices/software or policies – and both are critical to making sure that everything stays safe in your organization. Common examples of devices and software include things like anti-malware tools, firewalls, web filters, and email filters. Examples of policies are Bring Your Own Device (BYOD) rules and company regulations that inform employees as to which websites are acceptable and unacceptable to view at work.
Security controls are powerful tools for any organization, but they can be complex and difficult to manage. An enterprise anti-malware platform may have dozens of pages of settings and configuration options, and setting something incorrectly can have consequences ranging from leaving the company open to attack to preventing users from getting their jobs done.
Because of the complexity of these solutions and policies, there are times where even the best security and IT teams make mistakes and accidentally weaken security. A single mistake can wind up costing the business millions of dollars, not only in lost revenue but also in lost time and loss of reputation.
Add to this the fact that the cybersecurity landscape changes on a daily – sometimes hourly – basis. A minor bug in an application’s code that caused no problems yesterday can become an easy point of entry for an opportunistic cybercriminal to exploit today.
So even if all your security controls are working perfectly, there can still be weaknesses that a threat actor can use to their advantage. Worst of all, the threat landscape can evolve so quickly that a weakness might go undetected for months, and by the time the threat is finally spotted, it may be too late to recover.
Breach and Attack Simulation (BAS) is the answer to the question of how to make sure these weaknesses are found and addressed without breaking the network or the bank. At its core, BAS is exactly what it says on the tin – a platform that is designed to perform actions that closely mimic real threat actions to determine if they are caught by your security controls.
This can be anything from placing files that are indistinguishable from malware (but not actually dangerous to your systems) onto a machine to see if the anti-malware tool catches them; to attempting to send data traffic through a firewall or malicious email through an email filter.
BAS uses a set of complex attack scenarios that attempt to bypass these control systems to reach a specific goal. If that goal can be reached (such as traffic making it through a firewall or an email being delivered to an end recipient), then the BAS platform has helped to uncover a flaw in that control that needs to be remediated.
Cymulate, for example, has multiple simulations designed to test a variety of vectors (pathways that can be used to gain access to systems and resources). Email Gateway vector simulations send emails that should definitely be blocked by your spam filters. Endpoint vector simulations drop files that will be identified as malware onto disks to see if anti-malware tools detect them.
That simulation can even execute files so that behavior-based detection systems will see identifiable activity and jump into action, but in a safe and controlled manner to avoid creating even more risk in the process. Web Application Firewall (WAF) simulations attempt to trick a web server into giving up information or performing actions that it should not – an activity that must be stopped before it ever reaches the actual web server itself.
BAS is also designed to be run repeatedly, and even automated, so that keeping security tight and up-to-date becomes an ongoing process that is easier for the organization to handle. The tests are designed not to interfere with production operations, working quietly behind the scenes so that users don’t even notice them running, unless the vector is something like Phishing Awareness, which tests employee vigilance.
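To make the “goal reached means the control has a gap” logic concrete, here is a small BAS-style harness. It is an added illustration, not Cymulate’s or Secure Sense’s code: it drops the standard EICAR anti-malware test string (harmless by design) to see whether the endpoint control quarantines it, attempts a TCP connection that firewall policy is assumed to block, and turns every simulation whose goal was reached into a remediation item. The directory, host and port are assumptions for the demonstration.

```python
import os
import socket
import tempfile
import time
from dataclasses import dataclass

# Standard anti-malware test string (EICAR): harmless, but every mainstream
# scanner is built to flag it, which is exactly what a BAS file-drop needs.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class SimResult:
    vector: str
    goal_reached: bool  # True = the simulated attack got through, i.e. a control gap
    detail: str


def endpoint_file_drop(directory: str, wait_s: float = 5.0) -> SimResult:
    """Drop the EICAR file and watch whether the endpoint control removes it."""
    path = os.path.join(directory, "bas-eicar-test.com")
    with open(path, "w") as f:
        f.write(EICAR)
    deadline = time.monotonic() + wait_s
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return SimResult("endpoint", False, f"{path} quarantined within {wait_s}s")
        time.sleep(0.25)
    os.remove(path)  # clean up: the measurement is the goal, not a lingering file
    return SimResult("endpoint", True, f"{path} survived {wait_s}s unblocked")


def egress_connect(host: str, port: int, timeout: float = 2.0) -> SimResult:
    """Try a TCP connection that policy says the firewall must block."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return SimResult("firewall", True, f"tcp {host}:{port} reachable")
    except OSError as exc:
        return SimResult("firewall", False, f"tcp {host}:{port} blocked ({type(exc).__name__})")


def gaps(results):
    """The remediation list: every simulation whose goal was reached."""
    return [r for r in results if r.goal_reached]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # assumed drop location for the demo
        run = [endpoint_file_drop(d), egress_connect("127.0.0.1", 9)]  # assumed target
    for r in gaps(run):
        print(f"GAP [{r.vector}] {r.detail}")
```

Scheduling these functions (cron, a CI job, a task scheduler) gives the repeatable, automated testing described above; each run that reports no gaps is evidence the controls still hold.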
Combined, these two properties of BAS allow your IT and/or security teams to test whenever they need to, rather than waiting for scheduled change-control times. And unlike manual penetration testing or complex vulnerability scanners, BAS tools like Cymulate are designed for even those who are not security experts to use effectively and efficiently.
This means that you can take advantage of a higher level of security without increasing headcount or outsourcing to a specialized firm. While it cannot remove the need for manual pen-testing (especially if required by regulations), it can dramatically reduce the number of manual pen-tests you need to do in many cases, which benefits both the overall security posture and the bottom line.
BAS solutions test the security controls of your environment without impacting your end-users or requiring extensive cybersecurity knowledge. You can confirm that all of the security controls you put in place are working effectively and doing everything you expect them to be doing. You can quickly confirm that you are protected against the latest threats.
Finally, you can test repeatedly – and whenever needed. More importantly, if any weaknesses are discovered anywhere, you can find the information you need to remediate the problem and close the gap quickly and completely. BAS is the method that tests everything else you have in place from a security perspective and lets you stop speculating about whether your security posture is where it needs to be.
With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you’re exposed and how to fix it, 24/7 and regardless of where you are, whether you’re working from the comfort of your living room, at a local café, or even while relaxing on the beach.
Please do not hesitate to reach out to us at firstname.lastname@example.org to learn more about Cymulate and if BAS is the right solution for you.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT, and protecting your organization is what motivates us daily. If you have questions, want to learn more about how we can improve your organization’s security or our services, or just want to chat security, please give us a shout.